Fix out-of-bounds access in read_quoted_text()

The backslash-counting loop in read_quoted_text() ran before the EOF
check. When strcspn() reached the end of the string without finding a
closing quote, the loop accessed offsets past the string boundary:

1. strcspn() sets $at = strlen($sql) (no quote found).
2. Backslash check finds '\' at $at-1 (last byte), counts it ($i=1).
3. Odd count → treats absent quote as escaped, does $at += 1 (past end).
4. Next iteration: strcspn returns 0, $at stays past end.
5. Backslash check accesses $this->sql[strlen($sql)] → PHP warning.

Fix: move the EOF check before the backslash-counting loop so unclosed
strings are detected immediately. Also add a lower-bound guard to the
backward walk to prevent underflow when a quote appears early in the
string.

Author: sirreal

packages/mysql-on-sqlite/src/mysql/class-wp-mysql-lexer.php

@@ -2842,6 +2842,11 @@ private function read_quoted_text(): ?int {
 		while ( true ) {
 			$at += strcspn( $this->sql, $quote, $at );
 
+			// Unclosed string - unexpected EOF.
+			if ( ( $this->sql[ $at ] ?? null ) !== $quote ) {
+				return null; // Invalid input.
+			}
+
 			/*
 			 * By default, quotes can be escaped with a "\".
 			 * When NO_BACKSLASH_ESCAPES SQL mode is active, the "\" treated as
@@ -2852,18 +2857,13 @@ private function read_quoted_text(): ?int {
 			 * "\\\" is an escaped backslash and an escape sequence, and so on.
 			 */
 			if ( ! $no_backslash_escapes ) {
-				for ($i = 0; '\\' === $this->sql[ $at - $i - 1 ]; $i += 1);
+				for ( $i = 0; ( $at - $i - 1 ) >= 0 && '\\' === $this->sql[ $at - $i - 1 ]; $i += 1 );
 				if ( 1 === $i % 2 ) {
 					$at += 1;
 					continue;
 				}
 			}
 
-			// Unclosed string - unexpected EOF.
-			if ( ( $this->sql[ $at ] ?? null ) !== $quote ) {
-				return null; // Invalid input.
-			}
-
 			// Check if the quote is doubled.
 			if ( ( $this->sql[ $at + 1 ] ?? null ) === $quote ) {
 				$at += 2;